Difference between revisions of "Native App Security"

From MgmtWiki
Jump to: navigation, search
(Solutions)
(Android Support)
Line 23: Line 23:
 
* Rules for apps installed on Android devices <ref name='android'></ref>
 
* Rules for apps installed on Android devices <ref name='android'></ref>
 
* [https://developer.android.com/google/play/licensing/server-side-verification Adding Server-Side License Verification to Your App]
 
* [https://developer.android.com/google/play/licensing/server-side-verification Adding Server-Side License Verification to Your App]
 +
* [https://developer.android.com/google/play/licensing App Licensing]
 
*[https://github.com/TransparentHealth/poet Pre Oauth Entity Trust] describes a means to represent third-party application endorsement for health care applications. POET’s goal is to help consumers distinguish between applications that have an endorsement versus applications that have no pedigree (i.e untrusted and could be malicious).
 
*[https://github.com/TransparentHealth/poet Pre Oauth Entity Trust] describes a means to represent third-party application endorsement for health care applications. POET’s goal is to help consumers distinguish between applications that have an endorsement versus applications that have no pedigree (i.e untrusted and could be malicious).
 
* Android App list of [[Data Category|Data Categories]] that require [[User Consent]]. https://support.google.com/googleplay/answer/6270602?hl=en
 
* Android App list of [[Data Category|Data Categories]] that require [[User Consent]]. https://support.google.com/googleplay/answer/6270602?hl=en
 +
 
===Apple iPhone Support===
 
===Apple iPhone Support===
 
* Rules for apps installed on Apple devices are (not clear)
 
* Rules for apps installed on Apple devices are (not clear)

Revision as of 14:37, 23 July 2019

Full Title and Meme

An application that is installed on a user's computing device with full power to act as the user.

Context

  • The day when a personal computer was for running applications for the user is long gone, never to return.
  • Today a personal computer depends on cloud based service for nearly all of its functionality.
  • Some of those sites are willing to use a trusted User Agent, typically a web browser from a well-known and trusted vendor for rendering its content.
  • The first of the Laws of Security tell us that when an attacker gets to run their code on your computer, it is no longer just your computer any longer.
  • For the case where the user is not forced to allow an application to run on their personal device, see the page Web Site Security.

Problems

  • One of the worst case scenarios for Native App security is that of payments made directly from a user's bank account without the user selected user agent (browser) assuring that the user consents to the payment.
  • In Open Banking it is proposed that a payment initiator and a bank can both have Native Apps running where the payment initiator app asks the banking app on the same device for permission to remove money from the user's account.
  • The article Watch Out for a Clever Touch ID Scam Hitting the App Store shows how unscrupulous apps can fool the user in to granting access to their bank accounts.
  • A Web View is a display of information from a Web Site. There is no trustworthy indication that the Native App has correctly displayed the information that it obtained from the Web Site.

Solutions

  • The Native App exposes its name and the web site that backs it in a manner that allows the user to make a meaningful trust decision.
    • Android play store requires[1] any app that uses a brand name service to be securely bound to a URL that properly exposes that brand.
    • Apple has not released any plans to improve app naming security as of 2018-09-21.
  • Joint use Native Apps are provide to some industries for all to use. It makes the trust decision by the user much more difficult.
  • Same Site was designed to help, but as of (2018-09-21) is not consistently applied.

Android Support

Apple iPhone Support

Windows Support

  • Windows (UWP) settings are on all Windows 10 computer, but do not seem to be shown anywhere on the web. Just navigate start -> settings -> privacy -> app settings.
  • Rules for apps installed on Windows devices are of two types, but it is not clear how the user could possibly distinguish, so the concept has not been helpful.

References

  1. 1.0 1.1 Handling Android App Links. https://developer.android.com/training/app-links/

Other References